WordPress Contact form 7 spam protection using Honeypot plugin

📂 Category: WP Plugins

🖺 Last modified: 4th Feb 2020

💻 Experience: Beginner

🕑 Read Time: 4 min

Few days after releasing a new website on the web, administrators usually start noticing spam messages in their e-mail inbox coming trough the website’s contact form. In the beginning it’s one message month, some time later two or three per week. Before it becomes dozens of spam messages per day, we suggest to install Contact form 7 spam protection WordPress plugin called Honeypot.

About Contact form 7 spam protection

With over 5 million active installations, Contact form 7 is by far the most used contact form plugin for WordPress. We estimate over 65% of all WordPress websites use this plugin. With various add-on options available it becomes a really powerful contact form building tool. Beside all it’s advantages, Contact form 7 doesn’t come with integrated spam protection functionality by default. This article is intended for all Contact form 7 users tired of deleting junk from their e-mail inbox on a daily basis.

The very moment a website is released live, it becomes a target for various spam bots crawling the web. Those spam bots look for various forms on the website such as contact forms or comment forms. Once they find form fields, spam bots fill them up and leave messages often containing malicious links. Those links, if accidentally or intentionally clicked can do significant harm to the computer. Other, less harmful messages will often contain promotion offers, still filling your inbox with unnecessary junk.

In the first months after a website is released public, very few spam bots will discover it. There won’t be more than a couple of spam messages per month in your inbox. In the beginning, those spam messages are a good sign that the website is easily discoverable on the web. It means search engine bots will also easily find and index your website. As time goes by, spam messages will become more and more frequent and numerous. Before it happens make sure you have enabled Contact form 7 spam protection.

Contact form 7 spam protection methods

The most popular method of protecting contact forms from spam and junk robots is reCAPTCHA in one of it’s many versions. ReCAPTCHA adds an additional mandatory field to the contact form with a task to fulfill. Task such as adding numbers, retyping letters or clicking objects on photos are difficult to perform for spam bots. Since submitting the contact form without fulfilling the task is impossible, this method of spam protection is quite effective. There are couple of WordPress plugins available to add ReCAPTCHA spam protection to Contact form 7.

The downside of using ReCAPTCHA as Contact form 7 spam protection is more time for visitors to submit the form. Sometimes is difficult to retype the letters correctly or exactly click objects on ReCAPTCHA images. In some situations visitors will have to repeat the process which can be repulsive. In the latest version of ReCAPTCHA is enough to confirm one checkbox which facilitates the process, but it’s still one click more for the visitors.

Therefore, we suggest using the Honeypot plugin as as Contact form 7 spam protection. This method of spam bot protection doesn’t require any action from website visitors and doesn’t visually affect the contact form.

Honeypot for Contact form 7 WordPress plugin

With over 300.00 active installations, Honeypot for Contact form 7 is one of the most used spam protection plugins for WordPress. The guys from Nocean figured out an inventive way to foul spam bots and stop them from sending messages trough contact forms. Their idea was to add a text field to the contact form, invisible to visitors on the front end, but visible to robots as they scan the page code. To submit a message, this field must stay empty, otherwise the form won’t validate. When visitors fill the form, the Honeypot field will stay empty since its invisible. Spam bots will see the field in the code and fill it with text, which will automatically disable the form submission. From our experience, this Contact form 7 spam protection method works in 99.9% of the cases. We prefer this method over ReCAPTCHA and suggest using it.

Contact form 7 spam protection using Honeypot plugin

Contact form 7 form editor after the integration of Honeypot spam protection.

Upon installation, Honeypot seamlessly integrates into Contact form 7, with no settings to configure. The only thing to do is to manually add the Honeypot field to your contact form and let the magic happen.

Download the Plugin

Best practices of Honeypot implementation

For best Honeypot performance and maximum protection against spam, there are a couple of good practices. Firstly, insert the Honeypot field near the “Name” and “E-mail” fields to maximize the probability that spam bots will fill the field. Secondly, change the generic name of the Honeypot field into something more human and accordingly more compelling for robots to fill. The Honeypot field name is used as class for the field element in the page code so make it sound inviting to fill. Make sure the field name is not the same as any already in use by the contact form.

Here are a couple of Honeypot shortcode examples with customized field name:

  • [honeypot email-address]
  • [honeypot contact-email]
  • [honeypot fill-name]
  • [honeypot sender-name]
  • etc.

More anti spam protection for your WordPress website

WordPress website administrators deal with a lot of spam messages sent trough comment forms. Comment forms are integrated by default into WordPress post templates and they are easy targets for spam bots. If your website doesn’t rely on visitor comments, consider disabling comments completely. To know more, read our guide on disabling comments in WordPress.